Dive Brief:
- Attackers are actively exploiting a critical zero-day vulnerability in Fortinet’s network and security management tool FortiManager, according to security researchers and federal authorities. The earliest exploitation was on June 27, and at least 50 organizations across various industries have been impacted to date, Mandiant said in a Wednesday blog post.
- Fortinet disclosed active exploitation of CVE-2024-47575, which has a CVSS score of 9.8, in a security advisory Wednesday. Hours later, the Cybersecurity and Infrastructure Security Agency added the CVE to its known exploited vulnerabilities catalog. Fortinet did not say how many customers are impacted or when it became aware of CVE-2024-47575 and active exploitation.
- “The exploitation observed thus far appears to be automated in nature and is identical across multiple victims,” Mandiant Consulting CTO Charles Carmakal said in a Wednesday post on LinkedIn. “However, with most mass exploitation campaigns, we often observe targeted follow-on activity at some victims.”
Dive Insight:
The vulnerability is classified as a missing authentication for critical function flaw in FortiManager. Exploiting it could allow a remote, unauthenticated attacker to execute arbitrary code or commands on the appliance. Fortinet said the attacks involved data theft, including IP addresses, credentials and configuration data of FortiGate devices managed by the exploited FortiManager appliances.
The series of attacks marks the second actively exploited critical vulnerability involving Fortinet products in as many weeks. Earlier this month, federal authorities and security researchers alerted defenders to CVE-2024-23113, an actively exploited critical format string vulnerability in four Fortinet products.
Mandiant, which began collaborating with Fortinet to investigate the scope of the malicious activity earlier this month, described the spree of attacks as a “mass exploitation” event. The motivation and origin of the threat group behind the attacks remain unknown.
The incident response and threat intelligence firm warns the stolen data could be used to further compromise FortiManager and allow for lateral movement to the broader enterprise environment.
The exploits and the resulting exposure of enterprise networks represent yet another string of attacks targeting vulnerabilities in security gear from multiple vendors. Financially motivated and nation-state-linked attackers widely exploited vulnerabilities in network edge devices sold by Barracuda, Citrix, Fortinet, Ivanti, Palo Alto Networks and SonicWall over the past couple of years.
A company spokesperson said Fortinet promptly communicated with customers after it identified the vulnerability. “This is in line with our processes and best practices for responsible disclosure to enable customers to strengthen their security posture prior to an advisory being publicly released to a broader audience, including threat actors,” the spokesperson said.
Fortinet advised customers to patch the vulnerability via software updates and shared indicators of compromise and mitigation steps in its advisory. Multiple versions of FortiManager and FortiManager Cloud are affected.
“At this stage, we have not received reports of any low-level system installations of malware or backdoors on these compromised FortiManager systems,” Fortinet said in the advisory. “To the best of our knowledge, there have been no indicators of modified databases, or connections and modifications to the managed devices.”